Add single-path symex checker

peterschrammel · peterschrammel · commit 0acbd3977aa5 · 2019-02-02T15:12:43.000Z
Extends single_path_symex_only_checkert with
calling the solver and returning traces.
diff --git a/src/goto-checker/Makefile b/src/goto-checker/Makefile
@@ -7,6 +7,7 @@ SRC = bmc_util.cpp \
       goto_verifier.cpp \
       multi_path_symex_checker.cpp \
       multi_path_symex_only_checker.cpp \
+      single_path_symex_checker.cpp \
       single_path_symex_only_checker.cpp \
       properties.cpp \
       report_util.cpp \
diff --git a/src/goto-checker/single_path_symex_checker.cpp b/src/goto-checker/single_path_symex_checker.cpp
@@ -0,0 +1,238 @@
+/*******************************************************************\
+
+Module: Goto Checker using Single Path Symbolic Execution
+
+Author: Daniel Kroening, Peter Schrammel
+
+\*******************************************************************/
+
+/// \file
+/// Goto Checker using Single Path Symbolic Execution
+
+#include "single_path_symex_checker.h"
+
+#include <chrono>
+
+#include "bmc_util.h"
+#include "counterexample_beautification.h"
+#include "symex_bmc.h"
+
+single_path_symex_checkert::single_path_symex_checkert(
+  const optionst &options,
+  ui_message_handlert &ui_message_handler,
+  abstract_goto_modelt &goto_model)
+  : single_path_symex_only_checkert(options, ui_message_handler, goto_model)
+{
+}
+
+incremental_goto_checkert::resultt single_path_symex_checkert::
+operator()(propertiest &properties)
+{
+  resultt result(resultt::progresst::DONE);
+
+  // Unfortunately, the initial symex run is currently handled differently
+  // from the subsequent runs
+  if(!initial_symex_has_run)
+  {
+    initial_symex_has_run = true;
+    first_equation = symex_target_equationt();
+    symex_bmct symex(
+      ui_message_handler,
+      goto_model.get_symbol_table(),
+      first_equation.value(),
+      options,
+      *worklist);
+
+    setup_symex(symex);
+    perform_symex(
+      goto_model,
+      symex,
+      symex_symbol_table,
+      first_equation.value(),
+      options,
+      ns,
+      ui_message_handler);
+
+    output_coverage_report(
+      options.get_option("symex-coverage-report"),
+      goto_model,
+      symex,
+      ui_message_handler);
+
+    if(symex.get_remaining_vccs() > 0)
+    {
+      prepare(result, properties, first_equation.value());
+      decide(result, properties);
+
+      if(result.progress == resultt::progresst::FOUND_FAIL)
+        return result;
+    }
+  }
+
+  // There might be more solutions from the previous equation.
+  if(property_decider)
+  {
+    decide(result, properties);
+    if(result.progress == resultt::progresst::FOUND_FAIL)
+      return result;
+  }
+
+  if(first_equation.has_value())
+  {
+    // We are in the second iteration. We don't need the equation
+    // from the first iteration anymore.
+    first_equation = {};
+  }
+  else
+  {
+    if(!worklist->empty())
+    {
+      // We are in iteration 3 or later; we pop the item processed
+      // in the previous iteration.
+      worklist->pop();
+    }
+    else
+    {
+      // We are already done.
+    }
+  }
+
+  while(!worklist->empty())
+  {
+    path_storaget::patht &resume = worklist->peek();
+    symex_bmct symex(
+      ui_message_handler,
+      goto_model.get_symbol_table(),
+      resume.equation,
+      options,
+      *worklist);
+
+    setup_symex(symex);
+    perform_symex(
+      goto_model,
+      symex,
+      resume,
+      symex_symbol_table,
+      options,
+      ns,
+      ui_message_handler);
+
+    output_coverage_report(
+      options.get_option("symex-coverage-report"),
+      goto_model,
+      symex,
+      ui_message_handler);
+
+    if(symex.get_remaining_vccs() > 0)
+    {
+      prepare(result, properties, resume.equation);
+      decide(result, properties);
+
+      if(result.progress == resultt::progresst::FOUND_FAIL)
+        return result;
+    }
+
+    worklist->pop();
+  }
+
+  // For now, we assume that NOT_REACHED properties are PASS.
+  update_status_of_not_checked_properties(
+    properties, result.updated_properties);
+
+  // For now, we assume that UNKNOWN properties are PASS.
+  update_status_of_unknown_properties(properties, result.updated_properties);
+
+  // Worklist is empty: we are done.
+  return result;
+}
+
+goto_tracet single_path_symex_checkert::build_trace() const
+{
+  if(options.get_bool_option("beautify"))
+  {
+    counterexample_beautificationt()(
+      dynamic_cast<boolbvt &>(property_decider->get_solver()),
+      property_decider->get_equation());
+  }
+  goto_tracet goto_trace;
+  ::build_error_trace(
+    goto_trace,
+    ns,
+    property_decider->get_equation(),
+    property_decider->get_solver(),
+    ui_message_handler);
+  return goto_trace;
+}
+
+const namespacet &single_path_symex_checkert::get_namespace() const
+{
+  return ns;
+}
+
+void single_path_symex_checkert::output_error_witness(
+  const goto_tracet &goto_trace)
+{
+  output_graphml(goto_trace, ns, options);
+}
+
+void single_path_symex_checkert::output_proof()
+{
+  // This is incorrect, but the best we can do at the moment.
+  const path_storaget::patht &resume = worklist->peek();
+  output_graphml(resume.equation, ns, options);
+}
+
+void single_path_symex_checkert::prepare(
+  resultt &result,
+  propertiest &properties,
+  symex_target_equationt &equation)
+{
+  update_properties_status_from_symex_target_equation(
+    properties, result.updated_properties, equation);
+
+  property_decider = util_make_unique<goto_symex_property_decidert>(
+    goto_symex_property_decidert(options, ui_message_handler, equation, ns));
+
+  log.status() << "Passing problem to "
+               << property_decider->get_solver().decision_procedure_text()
+               << messaget::eom;
+
+  convert_symex_target_equation(
+    equation, property_decider->get_solver(), ui_message_handler);
+  property_decider->update_properties_goals_from_symex_target_equation(
+    properties);
+  property_decider->convert_goals();
+  property_decider->freeze_goal_variables();
+}
+
+void single_path_symex_checkert::decide(
+  resultt &result,
+  propertiest &properties)
+{
+  auto solver_start = std::chrono::steady_clock::now();
+
+  log.status() << "Running "
+               << property_decider->get_solver().decision_procedure_text()
+               << messaget::eom;
+
+  property_decider->add_constraint_from_goals(
+    [&properties](const irep_idt &property_id) {
+      return is_property_to_check(properties.at(property_id).status);
+    });
+
+  decision_proceduret::resultt dec_result = property_decider->solve();
+
+  property_decider->update_properties_status_from_goals(
+    properties, result.updated_properties, dec_result, false);
+
+  auto solver_stop = std::chrono::steady_clock::now();
+  log.status()
+    << "Runtime decision procedure: "
+    << std::chrono::duration<double>(solver_stop - solver_start).count() << "s"
+    << messaget::eom;
+
+  if(dec_result == decision_proceduret::resultt::D_SATISFIABLE)
+  {
+    result.progress = resultt::progresst::FOUND_FAIL;
+  }
+}
diff --git a/src/goto-checker/single_path_symex_checker.h b/src/goto-checker/single_path_symex_checker.h
@@ -0,0 +1,55 @@
+/*******************************************************************\
+
+Module: Goto Checker using Single Path Symbolic Execution
+
+Author: Daniel Kroening, Peter Schrammel
+
+\*******************************************************************/
+
+/// \file
+/// Goto Checker using Single Path Symbolic Execution
+
+#ifndef CPROVER_GOTO_CHECKER_SINGLE_PATH_SYMEX_CHECKER_H
+#define CPROVER_GOTO_CHECKER_SINGLE_PATH_SYMEX_CHECKER_H
+
+#include <util/optional.h>
+
+#include "goto_symex_property_decider.h"
+#include "goto_trace_provider.h"
+#include "single_path_symex_only_checker.h"
+#include "solver_factory.h"
+#include "witness_provider.h"
+
+class single_path_symex_checkert : public single_path_symex_only_checkert,
+                                   public witness_providert,
+                                   public goto_trace_providert
+{
+public:
+  single_path_symex_checkert(
+    const optionst &options,
+    ui_message_handlert &ui_message_handler,
+    abstract_goto_modelt &goto_model);
+
+  resultt operator()(propertiest &) override;
+
+  goto_tracet build_trace() const override;
+  const namespacet &get_namespace() const override;
+
+  void output_error_witness(const goto_tracet &) override;
+  void output_proof() override;
+
+  virtual ~single_path_symex_checkert() = default;
+
+protected:
+  bool initial_symex_has_run = false;
+  optionalt<symex_target_equationt> first_equation; // for building traces
+  std::unique_ptr<goto_symex_property_decidert> property_decider;
+
+  void prepare(
+    resultt &result,
+    propertiest &properties,
+    symex_target_equationt &equation);
+  void decide(resultt &result, propertiest &properties);
+};
+
+#endif // CPROVER_GOTO_CHECKER_SINGLE_PATH_SYMEX_CHECKER_H
